stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/policy/unknowns-decay-and-triage-queue.md

3.5 KiB
Raw Blame History

Unknowns Decay and Triage Queue

Module

Policy

Status

IMPLEMENTED

Description

Unknowns ranking and API endpoints exist. BlastRadius model present with database migration. The full time-based decay algorithm and containment signals ranking were identified as gaps in the archive manifest.

What's Implemented

  • DecayedConfidenceCalculator: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs
    • Exponential decay formula: max(floor, baseConfidence * exp(-ln(2) * ageDays / halfLifeDays))
    • Configurable half-life (default 14 days) and floor
    • OpenTelemetry histogram: stellaops_determinization_decay_multiplier
  • ObservationDecay: src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs
    • Per-observation decay state: BaseConfidence, ObservedAt, HalfLifeDays=14, Floor=0.35, StalenessThreshold=0.50
    • CalculateDecay(now): computes current decayed confidence
    • CheckIsStale(now): returns true when decayed confidence falls below staleness threshold
    • Factory methods: Create(), Fresh(), WithSettings()
  • UnknownRanker (from unchecked features): two-factor scoring Uncertainty*50 + ExploitPressure*50
    • Containment reduction capped at 40%
    • Band assignment: Hot>=75, Warm>=50, Cold>=25, Ice<25
  • UncertaintyScoreCalculator: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs
    • Entropy-based uncertainty from 6 signal dimensions
    • Signal gap tracking (which signals are missing)
  • Risk budget API endpoints (from unchecked features): budget tracking, ledger, Green/Yellow/Red/Exhausted thresholds
  • Unknown budget policy enforcement (from unchecked features): UncertaintyTierGate (gate 4 in pipeline)

What's Missing

  • Time-based decay triage queue: No service that automatically re-queues unknowns for triage when their confidence decays below the staleness threshold
  • Triage queue UI: No frontend triage interface showing unknowns sorted by decay urgency
  • Automated re-analysis triggering: ObservationDecay tracks staleness but no event-driven mechanism triggers re-analysis when an unknown becomes stale
  • Containment signal integration: The advisory describes containment signals (WAF rules, network segmentation, runtime controls) reducing unknown scores -- this is partially in UnknownRanker but not connected to real containment data sources
  • Decay notification: No notification system alerting when high-priority unknowns decay below acceptable confidence
  • Historical decay tracking: DecayedConfidenceCalculator computes point-in-time decay but no ledger tracks confidence decay history over time

Implementation Plan

  • Create UnknownTriageQueueService that periodically evaluates ObservationDecay.CheckIsStale() and queues stale unknowns for re-analysis
  • Add event-driven triggers (e.g., background job or message queue) when confidence drops below threshold
  • Build triage queue frontend component showing unknowns sorted by urgency (band + decay rate)
  • Integrate containment signal sources (WAF, network, runtime) as inputs to UnknownRanker
  • Add decay history ledger for audit trail

Related Documentation

  • Decay calculator: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs
  • Observation decay model: src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs
  • Unknowns ranking (unchecked): docs/features/unchecked/policy/unknowns-ranking-algorithm.md